This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jack_723
Explorer
‎2025-07-23 03:20 AM

A suspicious traffic log was observed during monitoring

Hi Experts,

"After an internal user attempted to connect to Microsoft Outlook, we observed in the logs that a Microsoft public IP accessed the external interface of the Internet firewall using port 443.

Could you please explain why this is happening? Thank you.
CP_LOG_detail.jpgCP_LOG1.jpg

0 Kudos
3 Replies
_Val_
Admin
Admin
‎2025-07-23 04:28 AM

It is hard to say exactly from the logs you showed, what it is, without some additional date.

The log says "Accept", but does it show a rule number?

Considering the source port is SSL, this looks like Server to client traffic. It is very likely someone is using O365, and this is either an orphan server to client communication, or part of legitimate data from MS, to a client NAT-ed behind your Internet FW IP address. 

I would look for the policy rule number and for NAT parameters of that specific log entry, to drill down, before jumping to any conclusion.

0 Kudos
jack_723
Explorer
‎2025-07-23 07:59 PM
In response to _Val_

Thank you for your reply.

First, I tried querying the destination IP: 40.104.21.66, but found no log records. In my production environment, it appears that no internal user is initiating connections to this Microsoft IP.
However, in reality,  connecting to Outlook will trigger this log entry.
When I queried the source IP: 40.104.21.66, there were log entries—just like the image I previously provided.
The rule name shows: CPNotEnoughDataForRuleMatch, and there are no other logs related to this IP.

I’ve also reviewed SK113479 and looked into similar cases reported by other users in the forums where this rule was triggered.
However, I haven’t seen anyone experiencing the same situation as in my production environment — specifically, an external IP initiating a connection to the firewall’s external interface over port 443.

 

Based on what I’ve seen from other users and my own lab testing, this CPNotEnoughDataForRuleMatch rule more commonly appears when an internal user connects to a public IP over port 443, and there are usually related logs as well. But in my production environment, the situation appears to be the opposite.

The following image is from my lab environment, and the situation is very similar to what other users have reported in the forums. 
lab.jpglab_log.jpg

lab2.jpg

 

Thank you.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-24 12:41 PM
In response to jack_723

The reason this message occurs is because the first rule that potentially matches traffic going to the gateway's external IP is an Application Control signature, not a simple TCP service.
Potential match rules are those where a rule contains the source, destination, and service (in the TCP/UDP sense).
Whatever connection is being initiated to the gateway is being terminated before we can determine what rule SHOULD have accepted the traffic.
That's basically what https://support.checkpoint.com/results/sk/sk113479 says, and it's expected behavior.

Why the connection occurs in the first place is a separate question, of course.
Eliminating this type of log entry means modifying the rulebase. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events